b'          INDEPENDENT EVALUATION PURSUANT TO THE\n        GOVERNMENT INFORMATION SECURITY REFORM ACT\n                     FISCAL YEAR 2001\n\n               SENSITIVE BUT UNCLASSIFIED SYSTEMS\n\n                 OFFICE OF THE INSPECTOR GENERAL\n                        EXECUTIVE SUMMARY\n\n      The Government Information Security Reform Act (GISRA) required\nthe Office of the Inspector General (OIG) to perform an independent\nevaluation of the U.S. Department of Justice\xe2\x80\x99s (Department\xe2\x80\x99s) information\nsecurity program and practices. This report summarizes the results of the\nevaluation for the Department\xe2\x80\x99s sensitive but unclassified (SBU) systems for\nFY 2001. Separate reports were issued for each of the individual systems\nevaluated. The OIG is also issuing a report summarizing the results of the\nDepartment\xe2\x80\x99s classified systems.\n\n      The OIG took an ambitious approach to fulfill the GISRA requirement by\nperforming individual audits on a subset of Department systems. The OIG, in\nconjunction with Department management, selected four classified and five\nSBU systems to audit from the universe of Department systems for fiscal year\n2001. Systems selected were mission critical and representative of differing\nsystem configurations (both client/server and mainframe) and operating\nsystems (UNIX, Novell, Windows NT, and OS/390).\n\n      Under the direction of the OIG and in accordance with Government\nAuditing Standards, PricewaterhouseCoopers LLP conducted the assessment\nof the Department\xe2\x80\x99s overall computer security program and practices for the\nSBU systems by performing individual audits of five systems maintained by\nthe Federal Bureau of Prisons (BOP), Drug Enforcement Administration\n(DEA), Executive Office for U.S. Attorneys (EOUSA), and Justice\nManagement Division (JMD).\n\n                    SBU Systems Selected for Audit\n\n    Component                            System\n    BOP           BOP Network (BOPNet)\n    DEA           El Paso Intelligence Center Information System (EIS)\n    DEA           Firebird\n    EOUSA         Justice Consolidated Office Network II (JCONII)\n    JMD           Rockville and Dallas Data Centers (JDC)\n\n\n                                    -i-\n\x0c       The audits consisted of interviews, on-site observations, and reviews\nof Department and component documentation to assess the system and\ncomponent compliance with GISRA and related information security policies,\nprocedures, standards, and guidelines. Commercial-off-the-shelf and\nproprietary software were used to conduct security tests and analyses of\nsignificant operating system integrity and security concerns.\n\n       The audits of the SBU systems revealed vulnerabilities with\nmanagement (M), operational (O), and technical (T) controls. The auditors\nassessed these vulnerabilities at a high to low risk to the protection of each\nsystem and the data stored on it from unauthorized use, loss, or\nmodification. Specifically, vulnerabilities were noted in the following areas:\n\n                       Audit Results of SBU Systems\n\n                                  Control\n     Areas of Vulnerability        Type BOPNet EIS Firebird JCONII JDC\nSecurity Policies and Procedures    M     3     3     3       3     3\nAuthorization of Software Changes   M                               3\nRisk Assessment Reporting           M     3     3     3\nContingency Planning                O           3     3             3\nSystem Backup Procedures            O                 3       3\nSystem Configuration                O           3     3       3\nPassword Management                  T    3     3     3       3     3\nLogon Management                     T    3     3     3       3     3\nAccount Integrity Management         T          3     3       3     3\nSystem Auditing Management           T          3     3       3     3\n\n      Overall, the GISRA audits found that Department-level and component\nsecurity policies and procedures were either insufficient or unenforced. The\nauditors concluded the Department did not provide timely and effective\noversight to ensure implementation of its security policies. For example, the\nDepartment took nearly four years to revise its overall security policy, DOJ\nOrder 2640.2D \xe2\x80\x9cInformation Technology Security,\xe2\x80\x9d after reporting it as\nineffective in September 1997. In several areas of identified vulnerabilities,\nbroadly stated or minimally imposed standards allowed system security\nmanagers too much latitude in establishing system settings, and\nconsequently systems were not fully secured.\n\n\n\n\n                                      - ii -\n\x0c       To address these deficiencies, we recommend granting responsibility\nto a single point of contact in the office of the Assistant Attorney General for\nAdministration to oversee, standardize, implement, and maintain strict\nbaseline Department-wide security controls over both SBU and classified\nsystems. This contact also would serve as a liaison between the Information\nManagement and Security Staff, the Security and Emergency Planning Staff,\nand the Assistant Attorney General for Administration. Among our\nrecommendations are:\n   \xe2\x80\xa2   enforce Department security policies at each component such as\n       passwords, account lockout, and system auditing management;\n   \xe2\x80\xa2   ensure that all components have current, documented, and tested\n       contingency plans;\n   \xe2\x80\xa2   develop a comprehensive corrective action plan to address weaknesses\n       previously identified;\n   \xe2\x80\xa2   ensure periodic computer security training is provided for each\n       platform supported;\n   \xe2\x80\xa2   ensure systems\' security is monitored sufficiently, efficiently, and\n       consistently, including:\n       a) automated monitoring of security policy compliance and auditing of\n          security relevant events;\n       b) requiring intrusion detection testing and application and operating\n          system patches be kept current.\n   \xe2\x80\xa2   ensure that periodic updates supplement DOJ Order 2640.2D based on\n       observed component needs, the evolving computer security\n       environment, and industry best practices.\n\n\n\n\n                                      - iii -\n\x0c                                  TABLE OF CONTENTS\n                                                                                             Page\n\nINTRODUCTION .................................................................................. 1\n\nFINDINGS ......................................................................................... 3\n\nI.     MANAGEMENT CONTROLS ............................................................ 3\n           Security Policies and Procedures ........................................... 4\n           Authorization of Software Changes........................................ 5\n           Risk Assessment Reporting .................................................. 5\n\nII.    OPERATIONAL CONTROLS ............................................................ 6\n           Contingency Planning .......................................................... 6\n           System Backup Procedures .................................................. 6\n           System Configuration .......................................................... 7\n\nIII.   TECHNICAL CONTROLS................................................................ 8\n           Password Management ........................................................ 8\n           Logon Management............................................................. 9\n           Account Integrity Management ........................................... 10\n           System Auditing Management ............................................ 10\n\nCONCLUSION ................................................................................... 11\n\nAPPENDIX I       - BACKGROUND ............................................................. 14\n\nAPPENDIX II - OBJECTIVE, SCOPE, AND METHODOLOGY ....................... 17\n\nAPPENDIX III - RECOMMENDATIONS ................................................... 18\n\nAPPENDIX IV - VIEWS OF RESPONSIBLE OFFICIALS\n              AND STATUS OF REPORT .............................................. 21\n\x0c                                               INTRODUCTION\n\n      The fiscal year 2001 Defense Authorization Act (Public Law 106-398)\nincludes Title X, subtitle G, \xe2\x80\x9cGovernment Information Security Reform Act\xe2\x80\x9d\n(GISRA). GISRA became effective on November 29, 2000, and amends the\nPaperwork Reduction Act of 1995 by enacting a new subchapter on\n"Information Security." It requires federal agencies to:\n      \xe2\x80\xa2    Have an annual independent evaluation of their information security\n           program and practices performed.\n      \xe2\x80\xa2    Ensure information security policy is founded on a continuous risk\n           management cycle.\n      \xe2\x80\xa2    Implement controls that assess information security risks.\n      \xe2\x80\xa2    Promote continuing awareness of information security risks.\n      \xe2\x80\xa2    Continually monitor and evaluate information security policy.\n      \xe2\x80\xa2    Control effectiveness of information security practices.\n      \xe2\x80\xa2    Provide a risk assessment and report on the security needs of the\n           agencies\xe2\x80\x99 systems, and include the report in their budget request to\n           the Office of Management and Budget (OMB).\n\n         In June 2001, the OMB issued \xe2\x80\x9cReporting Instructions for the\nGovernment Information Security Reform Act,\xe2\x80\x9d requiring the submission of\nan executive summary and a section characterizing the results of the OIG\nindependent evaluation, by September 10, 2001.1 The OIG coordinated\nGISRA work with the Department to promote communication and avoid\nduplication as the Department concurrently conducted program reviews to\nfulfill its GISRA obligations. The OIG also held briefings to keep Department\nand component management apprised of the audit results.\n\n      The OIG contracted with PricewaterhouseCoopers LLP to conduct the\nassessment of the overall computer security program and practices for the\nDepartment\xe2\x80\x99s sensitive but unclassified (SBU) systems. The objective was\nto determine the Department\xe2\x80\x99s compliance with the requirements of GISRA.\nTo accomplish this objective, individual audits were performed on five SBU\nsystems chosen by the OIG in consultation with Department management:\nthe Drug Enforcement Administration\xe2\x80\x99s Firebird and El Paso Intelligence\nCenter Information System, the Federal Bureau of Prisons Network, the\nExecutive Office for U.S. Attorneys\xe2\x80\x99 Justice Consolidated Office Network II,\nand the Justice Management Division\xe2\x80\x99s Rockville and Dallas Data Centers.\n\n\n\n\n1\n    The OIG began the GISRA audits in April 2001, prior to the availability of OMB\xe2\x80\x99s GISRA reporting instructions.\n    Therefore, our audits did not specifically address, and we do not report on, all of the instruction\xe2\x80\x99s 13 requested\n    questions. However, we expect to include all 13 questions in the scope of our 2002 GISRA reviews.\n\n                                                          -1-\n\x0c      The auditors reviewed management, operational, and technical\ncontrols by interviewing component management personnel, reviewing\nsystem documentation, and performing testing. The audits were performed\nin accordance with Government Auditing Standards and were conducted\nbetween April and August 2001. The audit approach was based on the\nGeneral Accounting Office\xe2\x80\x99s Federal Information System Control Audit\nManual, the Chief Information Officer Council Framework, and guidance\nestablished by the National Institute of Standards and Technology.\n\n      The OIG has routinely performed computer information security audits\nwithin Department components. Since 1996, the OIG also reviewed\ncomputer security program requirements annually as part of the financial\nstatement audit process. For the GISRA audits, special emphasis was placed\non reviewing vulnerabilities previously identified and verifying that\nappropriate corrective measures were implemented.\n\n       The GISRA audits of SBU systems revealed vulnerabilities with\nmanagement, operational, and technical controls. The auditors assessed\nthese vulnerabilities at a high to low risk to the protection of each system\nfrom unauthorized use, loss, or modification. Vulnerability assessments2\nwere used to assess operational and technical controls of the SBU systems\nand identified serious deficiencies including weak password controls,\ninappropriate user privileges, improper intruder detection settings, and\nineffective system auditing. Since technical controls prevent unauthorized\naccess to system resources by restricting, controlling, and monitoring system\naccess, we concluded that these vulnerabilities were the most significant.\n\n      The Department\xe2\x80\x99s Justice Management Division Information\nManagement and Security Staff (IMSS) is responsible for providing guidance\non security issues related to the Department\xe2\x80\x99s SBU systems. This includes\nmonitoring components\xe2\x80\x99 compliance with the provisions of the Department\xe2\x80\x99s\nsecurity policy and applicable Federal statutes, policies, and regulations as\nthey apply to SBU computer systems. The IMSS has conducted network\nsecurity penetration testing of SBU systems at Department components for\nthe past four years.\n\n      A summary of the individual audit results previously reported is\ndetailed in the Findings section of this report. Appendices I and II provide\nbackground on the systems selected and the objective, scope, and\nmethodology for the audit.\n\n\n2\n    A vulnerability assessment is a security test in which evaluators analyze system settings and security features,\n    based upon their understanding of the system design and implementation. A determination is then made as to\n    whether the system is optimally configured and appropriate security controls are in place. Unlike penetration\n    testing, vulnerability tests do not attempt to circumvent the security features of a system and gain entry.\n\n                                                        -2-\n\x0c                                       FINDINGS\n\n      The Department\xe2\x80\x99s computer security program needs\n      improvement to fully protect its SBU systems from unauthorized\n      use, loss, or modification. Audits of five SBU systems disclosed\n      vulnerabilities in management, operational, and technical\n      controls as shown in the table below. Department-level and\n      component security policies and procedures were insufficient or\n      unenforced. The Department did not adequately: (1) identify\n      and assess risks to determine needed security measures; (2)\n      establish and implement policies and controls to meet those\n      needs; (3) promote awareness so that users understand the\n      risks and the related policies and controls required to mitigate\n      them; or (4) monitor and evaluate established policies and\n      controls to ensure that they were both appropriate and effective.\n\n           Control Type              BOPNet   EIS    Firebird     JCONII    JDC\n    MANAGEMENT CONTROLS                3       3        3           3        3\n    OPERATIONAL CONTROLS                       3        3           3        3\n    TECHNICAL CONTROLS                 3       3        3           3        3\n\nI. MANAGEMENT CONTROLS\n\n      Management controls are techniques and concerns normally addressed\nby officials with responsibility for an organization\'s computer security\nprogram. In general, these controls manage the computer security program\nand the risk within the organization.\n\n       Security policies, procedures, standards, and guidelines are the primary\nmeans by which management communicates goals and requirements. To be\neffective, compliance must be overseen and enforced. The related policies\nshould encompass all major systems and facilities. The policies should outline\nthe duties of those who are responsible for overseeing security as well as the\nresponsibility of those who own, use, or rely on the entity\xe2\x80\x99s computer resources.\n\n      The Department did not provide timely and effective oversight of SBU\nsystems by informing users of the risks and the controls required to mitigate\nthem or enforcing its own policies. Specifically, the audits disclosed\nvulnerabilities in the following areas:\n\n     Areas of Vulnerability          BOPNet   EPIC     Firebird    JCONII     JDC\n Security Policies and Procedures      3       3          3          3         3\n Authorization of Software Changes                                             3\n Risk Assessment Reporting              3       3         3\n\n                                        -3-\n\x0cSecurity Policies and Procedures\n\n       The Department established uniform policy, DOJ Order 2640.2C,\n\xe2\x80\x9cTelecommunications and Information System Security,\xe2\x80\x9d dated\nJune 25, 1993, for the protection of its automated information systems.\nDespite the rapid evolution of computer technology, this policy remained in\neffect and unchanged, governing the Department\xe2\x80\x99s information systems\nsecurity environment for eight years. In a September 1997 audit, Report\nNo. 97-26, \xe2\x80\x9cComputer Security at the Department of Justice,\xe2\x80\x9d the OIG noted\nthe Order\xe2\x80\x99s shortcomings and recommended that the Department develop\neffective computer security program guidance. However, the Department\ndid not revise its policy, DOJ Order 2640.2D, \xe2\x80\x9cInformation Technology\nSecurity,\xe2\x80\x9d until four years later, in July 2001.\n\n      Although DOJ Order 2640.2D addresses many areas of identified\nsystem security vulnerabilities, the guidance remains insufficient for the\nprotection of Department information systems. The Order imposes minimal\nstandards that are broadly stated, allowing components and system security\nmanagers too much latitude in establishing system settings. To ensure\nuniform system security, DOJ Order 2640.2D needs more details in the\nfollowing areas:\n  \xe2\x80\xa2   backup procedures;\n  \xe2\x80\xa2   access controls;\n  \xe2\x80\xa2   assignment of user rights and advanced user rights;\n  \xe2\x80\xa2   password management (including task versus user accounts);\n  \xe2\x80\xa2   service accounts - changing the default password;\n  \xe2\x80\xa2   logon management;\n  \xe2\x80\xa2   renaming guest and administrative accounts;\n  \xe2\x80\xa2   account integrity management, including monitoring of account\n      disposition (dormant accounts); and\n  \xe2\x80\xa2   accountability and audit trails.\n\n      Department-level guidance regarding the adequate, efficient, and\nconsistent monitoring of SBU systems\' security is also lacking. Specific\nareas that need addressing immediately are:\n  \xe2\x80\xa2   automating the monitoring of security policy compliance;\n  \xe2\x80\xa2   requiring timely software patch application;\n  \xe2\x80\xa2   requiring intrusion detection testing; and\n\n\n                                         -4-\n\x0c      \xe2\x80\xa2   automating the logging, auditing, review and notification of security\n          relevant events.\n\n      Components are responsible for supplementing Department policy with\nmore detailed written security policies, procedures, standards, and\nguidelines. Component and system level policies were also found to be\ninconsistently applied and ineffective. For all five systems audited, we found\nvulnerabilities attributed to inadequate security policies and ineffective\nenforcement. In addition, the OIG previously reported system security\nvulnerabilities attributable to unenforced and insufficient security policies on\ntwo systems that were not corrected.\n\nAuthorization of Software Changes\n\n      System software change management process provides for proper\ndocumentation and authorization of software changes, acceptance testing,\nmanagement review and approval of changes and acceptance test results,\nand a controlled procedure for introducing tested and approved changes into\nproduction.\n\n          For the five systems reviewed, we found:\n      \xe2\x80\xa2   One system\xe2\x80\x99s software change management process did not document\n          approvals or installation and back-out plans.3\n\nRisk Assessment Reporting\n\n      A risk is the possibility that a threat adversely impacts an information\nsystem by taking advantage of vulnerabilities. Thus, a risk assessment is a\nformal description and estimate of risk to an information system. After risks\nare identified, management should apply countermeasures relative to the\nseverity of the threat and priority of asset protection.\n\n          For the five systems reviewed, we found:\n      \xe2\x80\xa2   Two systems had vulnerabilities identified through risk assessments\n          that were not corrected because appropriate management personnel\n          never received the report or addressed its results.\n      \xe2\x80\xa2   One system\xe2\x80\x99s risk assessment was outdated and did not reflect\n          subsequent changes to the operating environment. As a result,\n          management was unaware of potential system security exposures.\n\n\n\n3\n    Back-out plans are operator instructions for rolling-back new changes at implementation due to operational\n    problems and restoring the previous software versions.\n\n                                                       -5-\n\x0cII. OPERATIONAL CONTROLS\n\n       Operational controls address security controls that are implemented\nand executed by people to improve the security of a particular system, often\nrequire technical or specialized expertise, and rely upon management\nactivities as well as technical controls.\n\n      The auditors assessed the effectiveness of operational and technical\ncontrols by using commercial-off-the-shelf and proprietary software to\nconduct vulnerability assessments of the systems. A vulnerability\nassessment is a security test in which evaluators analyze system settings\nand security features based upon their understanding of the system design\nand implementation. A determination is then made as to whether the\nsystem is optimally configured and appropriate security controls are in place.\nUnlike penetration testing, vulnerability assessments do not attempt to\ncircumvent the security features of a system and gain entry.\n\n       The audits identified vulnerabilities in the following areas:\n\n          Area of Vulnerability   BOPNet EIS Firebird JCONII JDC\n         Contingency Planning             3     3             3\n         System Backup Procedures               3       3\n         System Configuration             3     3       3\n\nContingency Planning\n\n      Effective contingency planning ensures continued operations by\nminimizing the risk of events that disrupt normal operations and by having\nan approach in place to respond to those events if they occur. Department\npolicy requires that contingency plans be reviewed and approved by\nmanagement.\n\n      Three of the five systems tested had one or more of the following\nvulnerabilities:\n   \xe2\x80\xa2   Restoration priorities were not identified and an interagency\n       agreement did not exist for the alternative processing site.\n   \xe2\x80\xa2   Contingency plans were not properly reviewed or approved.\n   \xe2\x80\xa2   Contingency plans were not tested.\n   \xe2\x80\xa2   Contingency plan training was not conducted.\n   \xe2\x80\xa2   The OIG previously reported a contingency planning vulnerability on\n       one system that was not corrected.\n\n\n                                       -6-\n\x0cSystem Backup Procedures\n\n       Backup procedures, including backup tapes, protect information\nresources, minimize the risk of unplanned interruptions, allow for recovery of\ncritical operations when interruptions occur, and ensure on-going availability\nof critical system operations.\n\n       Industry best practices dictate that a backup storage location be\noff-site and far enough away from the primary location to avoid being\nimpaired by the same events, such as fires, storms, and electrical power\noutages. Storing backup data tapes in the same location as the primary\ndata risks completely losing all data in the event of a disaster.\n\n       For two of the five systems tested, we found:\n   \xe2\x80\xa2   Backup tapes were not stored off-site, rendering backup data\n       vulnerable in the event of a disaster at the primary location.\n\nSystem Configuration\n\n      System configuration is the process of managing security features and\nassurances by regulating and monitoring changes made to hardware,\nsoftware, firmware, and documentation throughout the lifecycle of an\ninformation system.\n\n      The Department\xe2\x80\x99s security policy requires that computer systems\noperate so that users have access to the information they need but no more\nand requires each computer system to have features or procedures to\nenforce access control measures required for the information in the system.\nVulnerabilities with system configuration increase the risk that unauthorized\nusers view, delete, or modify critical files, database intelligence data, or\ndirectory contents.\n\n    For three of the five systems audited, we found one or more of the\nfollowing vulnerabilities:\n   \xe2\x80\xa2   Network administrators were assigned inappropriate file permissions\n       and user rights.\n   \xe2\x80\xa2   Network File System (NFS) directories were mounted with\n       inappropriate parameters, exported to users with read/write privileges,\n       and exported to domains without fully qualified domain names.\n   \xe2\x80\xa2   Highly vulnerable services were running on the networks.\n   \xe2\x80\xa2   The latest manufacturer\xe2\x80\x99s patches were not installed.\n\n\n                                     -7-\n\x0c   \xe2\x80\xa2   Versions of operating system software that are no longer supported by\n       the vendor were used.\n   \xe2\x80\xa2   Supporting software versions differed between development, test, and\n       production environments.\n\n      The operational control vulnerabilities occurred due to a lack of\nDepartment and component guidance establishing and requiring appropriate\nsystem security standards and settings. Components did not adequately\nimplement existing Department guidance, increasing the risk of\nunauthorized users obtaining access to system resources and exposing\nsensitive information to unauthorized use, loss, or modification.\n\nIII. TECHNICAL CONTROLS\n\n       Technical controls focus on the security controls that the computer\nsystem executes. Technical controls require significant operational\nconsiderations, should be consistent with the organization\xe2\x80\x99s security\nmanagement, and depend upon the proper functioning of the system to be\neffective. Technical controls prevent unauthorized access to system resources\nby restricting, controlling, and monitoring system access and detecting and\nrecording security related events.\n\n      The audits identified vulnerabilities with technical controls in the\nfollowing areas:\n\n       Area of Vulnerability     BOPNet     EIS    Firebird    JCONII        JDC\n  Password Management              3         3        3          3            3\n  Logon Management                 3         3        3          3            3\n  Account Integrity Management               3         3          3          3\n  System Auditing Management                 3         3          3          3\n\n\nPassword Management\n\n      A password is a unique string of characters that must be provided\nbefore a logon or access is authorized to a computer system. Passwords are\nsecurity measures used to restrict logons to user accounts and access to\ncomputer systems and resources. Strong password controls protect system\nresources from unauthorized use, loss, or modification.\n\n    All five systems tested had one or more of the following password\nmanagement vulnerabilities:\n   \xe2\x80\xa2   All five systems had inappropriate password recycle intervals,\n       permitting users to re-use passwords too quickly.\n                                      -8-\n\x0c   \xe2\x80\xa2   Four systems did not implement a \xe2\x80\x9cfilter\xe2\x80\x9d enforcing password\n       complexity rules.\n   \xe2\x80\xa2   Four systems permitted users to have the same password for more\n       than 90 days.\n   \xe2\x80\xa2   Three systems either permitted blank or easily guessed passwords,\n       such as a password equal to the user name.\n   \xe2\x80\xa2   Three systems permitted user accounts with passwords less than eight\n       characters.\n   \xe2\x80\xa2   One system distributed user accounts using the Network Information\n       System (NIS), exposing encrypted passwords to any user with the NIS\n       password map.\n\nLogon Management\n\n       The first line of defense against unauthorized access is an interactive\nlogon process. The process normally begins with a warning banner,\ninforming the user of the proper use of computers on the network. Next,\nthe user is presented with a request for the user\xe2\x80\x99s information such as the\nusername, password, and the server or domain the user intends to access.\nIf the user\xe2\x80\x99s information is entered incorrectly, the system returns a logon\nfailure message and, after a predetermined number of failed attempts, locks\nout the user for a specified period of time. If the user\xe2\x80\x99s information is\nentered correctly, the system authenticates the user, matching the user\xe2\x80\x99s\ninformation with an account in the system\xe2\x80\x99s security accounts database.\n\n    All five systems tested had one or more of the following logon\nmanagement vulnerabilities:\n   \xe2\x80\xa2   All five systems had inappropriate user or global systems settings,\n       including the ability to make more than one simultaneous network\n       connection; incorrect or disabled account login/lockout parameters;\n       excessive grace logins; inappropriate screensaver settings; and\n       settings that allow unauthenticated access and idle sessions.\n   \xe2\x80\xa2   Four systems did not display a warning banner that informed users of\n       the consequences of unauthorized access.\n   \xe2\x80\xa2   Three systems did not follow their respective account naming\n       conventions, impeding individual accountability for user activities.\n   \xe2\x80\xa2   Three systems maintained inactive accounts, including accounts\n       associated with terminated employees, accounts never used, or\n       accounts without activity within the past ninety days.\n\n\n\n                                      -9-\n\x0c   \xe2\x80\xa2   One system did not have the intruder detection option enabled,\n       increasing the risk that unauthorized access would go undetected\n   \xe2\x80\xa2   One system did not change vendor-supplied passwords upon software\n       installation.\n\nAccount Integrity Management\n\n       Account integrity management controls the permissions for logging on\nto a computer or network. Proper expertise within a particular functional\nentity and clearly defined job duties and responsibilities are essential in\nmaintaining a system. Monitoring resource access violations allows an entity\nto predefine a threshold for flagging violations. A privilege enables a user to\nperform a security relevant operation or a command that, by default, is\nnormally denied to that user. Privileges must be tightly controlled and users\nclearly identified on the system in order to track their use of system\nresources.\n\n     Four of the five systems reviewed had one or more of the following\naccount integrity management vulnerabilities:\n   \xe2\x80\xa2   Four systems granted users inappropriate rights inconsistent with their\n       duties.\n   \xe2\x80\xa2   Three systems had inappropriate access to unrestricted shell accounts,\n       allowing users access to unauthorized commands, data, and\n       configuration files.\n   \xe2\x80\xa2   Two systems allowed users to break out of their startup scripts giving\n       users access to the command prompt.\n   \xe2\x80\xa2   One system had systems programmers without appropriate training or\n       oversight perform security administration duties.\n   \xe2\x80\xa2   One system\xe2\x80\x99s security software global options were set inappropriately\n       and generic logons were used to update critical systems software\n       datasets without an independent technical review.\n   \xe2\x80\xa2   One system had a root account trusting multiple servers through use of\n       an \xe2\x80\x9c.rhosts\xe2\x80\x9d file that included one non-existent machine.\n   \xe2\x80\xa2   One system did not use the Oracle product profile table and associated\n       Oracle configuration utilities to implement appropriate security controls,\n       allowing users to directly access and modify Oracle tables by\n       circumventing application controls.\n\n\n\n\n                                     - 10 -\n\x0cSystem Auditing Management\n\n      Auditing can provide the ability to detect and record security-related\nevents. It tracks the activities of users by recording information about\nspecific types of events, such as logon and logoff, file and object access, use\nof user rights, user and group management, security policy changes, restart,\nshutdown, and system events in a security log on the server.\n\n      For four of the five systems audited, we found one or more of the\nfollowing system auditing management vulnerabilities:\n\n   \xe2\x80\xa2   Three systems had auditing parameters incorrectly or inappropriately\n       set such that critical events and modification to sensitive system\n       applications, files, and registry keys could go undetected.\n\n   \xe2\x80\xa2   One system\xe2\x80\x99s audit logs were not reviewed.\n\n   \xe2\x80\xa2   One system was not set to secure event log files appropriately,\n       increasing the risk of log file destruction or alteration.\n\n   \xe2\x80\xa2   One system\xe2\x80\x99s programming activity was not monitored, increasing the\n       likelihood that unauthorized and undetected changes to the system\xe2\x80\x99s\n       environment may occur without appropriate review or oversight.\n\n       The technical control vulnerabilities occurred because Department\npolicy was insufficient, not uniformly implemented, or not fully enforced.\nFurther, the broadly stated, minimum standards imposed by the Department\nwere not supplemented with sufficient or imposed component-level guidance\nto fully secure the systems. In several areas of identified vulnerabilities,\nbroadly stated or minimally imposed standards allowed system security\nmanagers too much latitude in establishing system settings.\n\nCONCLUSION\n\n     The GISRA audits of the SBU systems revealed vulnerabilities with\nmanagement (M), operational (O), and technical (T) controls. The auditors\nassessed these vulnerabilities at a high to low risk to the protection of each\nsystem from unauthorized use, loss, or modification as shown in the table\nbelow.\n\n\n\n\n                                     - 11 -\n\x0c                          Audit Results of SBU Systems\n\n                                       Control\n        Areas of Vulnerability          Type     BOPNet EIS Firebird JCONII JDC\n   Security Policies and Procedures      M         3      3    3      3     3\n   Authorization of Software Changes     M                                  3\n   Risk Assessment Reporting             M         3      3    3\n   Contingency Planning                  O                3    3            3\n   System Backup Procedures              O                     3      3\n   System Configuration                  O                3    3      3\n   Password Management                   T         3      3    3      3     3\n   Logon Management                      T         3      3    3      3     3\n   Account Integrity Management          T                3    3      3     3\n   System Auditing Management            T                3    3      3     3\n\n      Overall, the audits found that Department-level and component\nsecurity policies and procedures were either insufficient or unenforced. The\nauditors concluded the Department did not provide timely and effective\noversight to ensure implementation of its security policies. For example, the\nDepartment took nearly four years to revise its overall security policy, DOJ\nOrder 2640.2D \xe2\x80\x9cInformation Technology Security,\xe2\x80\x9d after the OIG reported it\nas ineffective in September 1997. The Order imposes minimal standards\nthat are broadly stated, allowing components and system security managers\ntoo much latitude in establishing system settings.\n\n       We recommend a proactive approach to improve security controls of\nDepartment systems. Because of the repetitive nature of the security\ndeficiencies and concerns disclosed in this report, we conclude that a central\noffice with responsibility for system security is needed to identify trends and\nenforce uniform standards. We believe that a central office would\nconcentrate resources (time, money, and expertise) to identify and correct\nsystem security vulnerabilities most significant to the Department more\neffectively. Moreover, baseline security safeguards and controls should not\nvary according to the classification of system data, although data sensitivity\nmight warrant additional or increased measures of protection.\n\n      In addition, senior management benefits from having a single point of\ncontact responsible for overseeing activities that standardize, implement, and\nmaintain strict, baseline Department-wide security controls over both types of\nsystems. This office would also serve as a liaison between the Information\nManagement and Security Staff, the Security and Emergency Planning Staff,\nand the Assistant Attorney General for Administration.\n\n\n\n                                        - 12 -\n\x0c      In the GISRA summary report for classified systems, the OIG made\nspecific recommendations intended to improve Department-wide computer\nsecurity for both the classified and SBU systems. These recommendations\nalso apply to this report on SBU systems. We do not repeat these\nrecommendations here, but for reference purposes, include them in\nAppendix III of this report.\n\n\n\n\n                                 - 13 -\n\x0c                                                                 APPENDIX I\n\n                               BACKGROUND\n\n      PricewaterhouseCoopers LLP conducted the assessment of the overall\ncomputer security program and practices for the Department\xe2\x80\x99s sensitive but\nunclassified (SBU) systems by performing individual audits on five systems:\nthe Federal Bureau of Prisons Network (BOPNet); the Drug Enforcement\nAdministration\xe2\x80\x99s Firebird and El Paso Intelligence Center Information System\n(EIS); the Executive Office for U.S. Attorneys\xe2\x80\x99 Justice Consolidated Office\nNetwork II (JCONII); and the Justice Management Division\xe2\x80\x99s Rockville and\nDallas Data Centers (JDCs).\n\nThe Federal Bureau of Prisons (BOP)\n\n       The mission of the BOP is to protect society by confining offenders in\nthe controlled environments of prisons and community-based facilities that\nare safe, humane, and appropriately secure, and providing work and other\nself-improvement opportunities to assist offenders in becoming law-abiding\ncitizens. The BOP employs approximately 33,000 employees in its central\noffice, six regional offices, and approximately 29 community correction\nmanagement offices and 105 correctional facilities.\n\n      BOPNet\n\n      To fulfill its mission, the BOP uses automated information systems.\nOne of its more critical information systems is the BOP Network (BOPNet).\nBOPNet is a SBU client/server-based network that interconnects the BOP\ncentral offices and nationwide facilities\xe2\x80\x99 workstations. BOPNet uses Novell\nNetware and Windows NT Server operating systems and provides users\naccess to office automation software and BOP specific applications such as\nSENTRY. The BOP uses SENTRY to track its more than 158,300 prisoners.\n\nThe Drug Enforcement Administration (DEA)\n\n       The mission of the DEA is to enforce controlled substances laws and\nregulations of the United States and investigate organizations and\nindividuals that grow, manufacture, or distribute controlled substances. The\nDEA also recommends and supports non-enforcement programs that are\ndesigned to reduce the availability of illicit controlled substances worldwide.\n\n\n\n\n                                    - 14 -\n\x0c           Firebird\n\n       Firebird is a SBU system that provides office automation tools, e-mail\ncommunications, on-line case file database access, and other information\nresources to DEA administrative, investigative, analytical, and technical\nsupport personnel. Because of the sensitive nature of the data processed on\nFirebird, a compromise of the system could jeopardize the confidentiality of\ninvestigations and agent safety. Firebird is a client/server-based system\nusing Windows NT and UNIX operating systems.\n\n           EIS\n\n       The El Paso Intelligence Center (EPIC) is located on Biggs Army\nAirfield, an extension of Fort Bliss, in El Paso, Texas. Biggs Army Airfield is a\ncontrolled access United States Army military installation. Organizationally,\nEPIC is under the direct line authority of the DEA. EPIC management is\ncomprised of senior law enforcement representatives from several states and\n15 federal agencies. Overall coordination of EPIC activities is the\nresponsibility of the EPIC Director. EPIC\xe2\x80\x99s mission is to support United\nStates law enforcement and interdiction components through the timely\nanalysis and dissemination of intelligence on illicit drug and alien movements\nand the criminal organizations responsible for these illegal activities.\n\n       The EPIC Information System (EIS) processes data types, ranging in\nclassification from law enforcement sensitive to secret high4, that encompass\nhistorical intelligence, tactical, administrative, and office automation data.\nThe EIS is a mission critical operation that select EPIC personnel access 24\nhours a day, seven-days a week, with classified and unclassified sections\noperating separately. This report summarizes the audit results of the\nunclassified EIS section.\n\n       The EIS was designed to collect, process, and disseminate intelligence\ninformation concerning the movement of illicit drugs and currency, alien\nsmuggling, weapons trafficking, and other illegal related activities. The\nprimary repository of the unclassified intelligence data is the EPIC Internal\nDatabase (EID). The EID is an Oracle database accessed through a\ncombination of custom developed and commercial-off-the-shelf software.\nThe EID stores suspect and tracking files on people, organizations, vehicles,\nvessels, aircraft, and associated events for all unclassified intelligence\ncollected at EPIC.\n\n\n\n\n4\n    \xe2\x80\x9cSecret high\xe2\x80\x9d is a DEA sensitivity rating.\n\n                                                 - 15 -\n\x0cThe Executive Office for U.S. Attorneys (EOUSA)\n\n      The mission of the EOUSA is to provide the 94 United States Attorney\nOffices located throughout the 50 states, the District of Columbia, Guam, the\nMarianas Islands, Puerto Rico, and the U.S. Virgin Islands with general\nexecutive assistance, operational and administrative support, and coordination\nwith Department of Justice components and other federal agencies.\n\n           JCONII\n\n      The Justice Consolidated Office Network II (JCONII) is a SBU system\ndesigned to be the office automation system for the Department\xe2\x80\x99s\nmanagement, litigating, and related legal components.\n\n      Administrative support is facilitated through the use of commercial-off-\nthe-shelf applications residing on EOUSA\xe2\x80\x99s JCONII. United States Attorneys\nuse JCONII to access legal applications and EOUSA proprietary software. The\nJCONII system is a client/server-based network using both Windows NT and\nUNIX platforms.\n\nThe Justice Management Division (JMD)\n\n       The JMD Information Management and Security Staff\xe2\x80\x99s (IMSS) mission\nis to be the principal point of coordination in DOJ for compliance with federal\nagency requirements under information technology (IT) laws and directives.\nIMSS develops and implements policies, procedures, and guidance for IT\narchitecture and strategic planning, IT investment management, and the\nsecurity of the Department\'s SBU information systems.\n\n           JDCs\n\n      The Department of Justice maintains legacy5 systems housed on\nmainframe platforms at data centers in Rockville, Maryland and Dallas,\nTexas. The Rockville and Dallas data centers (JDCs) exist to provide secure\ninformation technology facilities, computing platforms, and support services\nfor the bureaus, offices, boards, and divisions within the Department. Since\nthe JDCs are managed as one unit, they were audited as a combined entity.\n\n\n\n\n5\n    \xe2\x80\x9cLegacy\xe2\x80\x9d refers to traditional electronic data processing general support systems and applications running on\n     mainframe computers with programming and operational support maintained in a centralized information\n     technology environment.\n\n                                                        - 16 -\n\x0c                                                            APPENDIX II\n\n               OBJECTIVE, SCOPE, AND METHODOLOGY\n\n      The objective of the audits was to determine the Department\xe2\x80\x99s\ncompliance with the requirements of the Government Information Security\nReform Act. In doing so, the OIG assessed whether adequate computer\nsecurity controls existed to protect Department systems from unauthorized\nuse, loss, or modification. To accomplish the objective, the OIG reviewed\nmanagement, operational, and technical controls for a subset of Department\nsystems. This report summarizes the audit results of the five SBU systems\nreviewed.\n\n      We interviewed component and system management personnel,\nreviewed system documentation, and performed testing to determine\ncompliance with Department and component security policies and procedures.\nThe audits were performed in accordance with Government Auditing\nStandards and took place from April through August 2001. The effectiveness\nof security controls was assessed by using commercial-off-the-shelf and\nproprietary software to conduct vulnerability assessments of the system.\n\n      The audit approach was based on the General Accounting Office\xe2\x80\x99s\nFederal Information System Controls Audit Manual, the Chief Information\nOfficer Council Framework, OMB Circular A-130, and guidance established by\nthe National Institute of Standards and Technology.\n\n\n\n\n                                  - 17 -\n\x0c                                                                                             APPENDIX III\n\n                                             RECOMMENDATIONS6\n\n     We recommend that the Acting Assistant Attorney General for\nAdministration (AAG/A):\n\n1) Establish a Department Information Technology (IT) Central Security\n   Compliance Office for classified and sensitive but unclassified systems with\n   the responsibility for:\n\n      a) Monitoring security-related activities by testing controls at each\n         component having classified systems (i.e. performing penetration tests\n         and providing those results to the affected components).\n\n      b) Reviewing the number and types of security deficiencies identified in\n         each component\xe2\x80\x99s periodic reports.\n\n      c) Evaluating each component\xe2\x80\x99s compliance with Department security\n         policies especially in areas of reported weaknesses and establishing\n         processes and procedures to enforce existing policy such as passwords,\n         account lockout, and system auditing management.\n\n      d) Assisting component Security Program Managers in assessing security\n         risks, identifying hardware/software security deficiencies, and providing\n         policy and procedural guidance as needed.\n\n2) Charge the Department IT Central Security Compliance Office with\n   ensuring that all components have current, documented, and tested\n   contingency plans.\n\n3) Charge the Department IT Central Security Compliance Office with\n   developing a comprehensive corrective action plan to fully and timely\n   address all Department-wide IT control weaknesses previously identified in\n   security reviews and audits. Additionally, measures should be prescribed\n   and oversight provided to ensure that component corrective action plans\n   are prepared and that vulnerabilities are corrected. Eliminating repeat\n   findings should be a priority.\n\n\n\n\n6\n    These recommendations are presented in our GISRA summary report for classified systems. Corrective action will\n    be tracked as part of the follow-up process for that report. See Appendix IV.\n\n                                                      - 18 -\n\x0c4) Require each component Security Program Manager to:\n\n  a) Have full knowledge of and familiarization with current Department\n     information technology security policies and procedures, including DOJ\n     Order 2640.2D and other departmental policies related to classified and\n     unclassified systems.\n\n  b) Report component compliance with Department security policy\n     requirements.\n\n  c) Ensure a security administrator is designated within each component for\n     reviewing system security posture in accordance with Department\n     security policy. In the case of multiple platforms or operating systems\n     supporting component systems, an administrator should be designated\n     to represent each unique platform.\n\n  d) Ensure periodic computer security training is provided for each platform\n     supported and require attendance by the designated security\n     administrators.\n\n  e) Develop and enforce security policies or apply industry best practices, to\n     assess and counter evolving computer security vulnerabilities.\n\n5) Require each component Security Program Manager to periodically report\n   to the Department IT Central Security Compliance Office on the compliance\n   of individual systems within their component relative to requirements\n   outlined in Department security policies and procedures. Upon its review\n   of the reports, the Department IT Central Security Compliance Office\n   should bring areas of concern to the attention of the AAG/A.\n\n6) Establish and implement guidance to ensure systems\' security is monitored\n   sufficiently, efficiently, and consistently. Specific areas that need to be\n   immediately addressed include:\n\n  a) automated monitoring of security policy compliance;\n\n  b) automated logging, auditing, review and notification of security relevant\n     events;\n\n  c) requiring intrusion detection testing; and\n\n  d) requiring application and operating system patches be kept current.\n\n  (Note: According to JMD, they began addressing some of the above areas\n  after the audits were completed.)\n\n\n                                    - 19 -\n\x0c      Although DOJ Order 2640.2D addresses many areas of identified system\nsecurity vulnerabilities, it still lacks sufficient guidance in several areas. The\npolicy should be specific to each operating system (Windows NT, Novell, and\nUNIX) so that the requirements are not misunderstood or inappropriately\napplied (i.e. some procedures may apply to Windows NT systems but not to\nUNIX systems). Further, procedures need to be developed to provide more\nspecific guidance when necessary.\n\n   Therefore, we recommend that the AAG/A:\n\n7) Require periodic updates that supplement DOJ Order 2640.2D based on\n   observed component needs, the evolving computer security environment,\n   and industry best practices. We recommend that the AAG/A promptly\n   review the adequacy of guidance for the following areas:\n\n   a) password management (including task versus user accounts);\n\n   b) accountability and audit trails;\n\n   c) access controls;\n\n   d) account integrity management, including monitoring of account\n      disposition (dormant accounts);\n\n   e) logon management;\n\n   f) service accounts - changing the default password;\n\n   g) assignment of user rights and advanced user rights;\n\n   h) renaming guest and administrative accounts; and\n\n   i) backup procedures.\n\n\n\n\n                                         - 20 -\n\x0c                                                               APPENDIX IV\n\n     VIEWS OF RESPONSIBLE OFFICIALS AND STATUS OF REPORT\n\n       In the GISRA summary report for classified systems, the OIG made\nspecific recommendations intended to improve Department-wide computer\nsecurity. Although those recommendations are applicable to both the\nclassified and SBU systems, they are included in this report for reference\npurposes only and will be tracked as part of the follow-up process of the\nGISRA summary report for classified systems.\n\n      We issued this report in draft to obtain review and comment from\nresponsible Department officials. The Acting Assistant Attorney General and\nChief Information Officer responded that they had no comments. There are no\nrecommendations in this report. Therefore, this report is closed.\n\n\n\n\n                                    - 21 -\n\x0c'